Cisco CSA 4.2 + RADIUS + HP procurve switches
Hello!
We have a mixed network environment with Cisco / HP hardware.
We are currently assessing Cisco ACS 4.2 to manage network access to our network equipment.
Cisco equipment works very well, but we have problems with RADIUS and the ProCurve switches (TACACS+ works very well).
I googled around and it seems that you need to create new vendor-specific attributes (VSA, Vendor) for the ProCurve switches, and the IETF RADIUS settings according to the variables on the right, which must match the HP equipment.
Problem is that I can't find this information online.
Anyone who manages to solve this problem?
Would really appreciate help!
Thank you
BR
Generally, you should download the VSA for ACS. You must get the HP ini file. Once you have it, you need to create a VSA and transfer it to ACS.
Because we need to add a vendor-specific attribute in ACS, we must first
create a file 'accountActions.csv' using the format specified in "RDBMS Synchronization
Import Definition". Once we are ready with the file, we must run an RDBMS
Synchronization on the ACS (SE) and then go to:
Reports and Activity > RDBMS Synchronization and make sure that the synchronization
completed without error. Once this is done, you must restart the ACS SE. Then
we can create a new AAA client and use the new RADIUS (xxxx), and the attributes that we
added can be made visible under:
Interface Configuration > select the newly added RADIUS VSA attribute.
: RDBMS synchronization:
http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacsapp/CSAPP40/ugse40/sad.htm#wp756877
: RDBMS synchronization import definition:
http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacsapp/CSAPP40/ugse40/AG.htm
Kind regards
~ JG
Tags: Cisco Security
Similar Questions
-
How to restrict Internet access by using the RADIUS server via switch Catalyst 3560
Dear all,
I need a configuration for the following setup. I have a small network of 15 users on a 3560, which is in turn connected to an ISR 2811 router. On interface FastEthernet 0/24 of the 3560 switch I intend to connect a Unix-based RADIUS server. The ISP is connected on the opposite side of the 2811, on the fa0/0 interface.
What I want is that if someone among the 15 users tries to access the Internet, they must be validated by the RADIUS server with their pre-configured user credentials (I'm going to store the 15 user credentials there). If someone else (other than those 15) tries to connect, he or she should be denied Internet access.
The RADIUS server will have a login page to type the user name and password.
Please guide me on what commands I should put into the 3560, or what specifically I need to have to run this.
Thanks in advance!
Samrat.
I only did this a very long time ago, but what you probably want to do is activate web authentication.
-
Which VPN client for Cisco IOS VPN and RADIUS?
Hello community,
My company is trying to set up remote user VPN for all of our external collaborators with the help of our existing Cisco router and a RADIUS server in Active Directory.
I did all the AAA config on the router and set up RADIUS, but I do not know which Cisco remote client to buy and how to set it up.
Anyone who knows this setup or uses it, can you help me please so we don't lose our money (and my boss's time)?
Thanks in advance.
Paul
Paul,
AnyConnect lets you connect using IKEv2/IPsec and SSL VPN to an IOS headend.
There are countless configuration examples.
Alternatively, some 3rd-party IKEv1/IPsec clients exist and are able to connect; however, those are not TAC (Cisco) supported. You can check the feature called EzVPN.
M.
-
Procurve switches update: should I shut down VMs on cluster that uses this switch?
I have to update the firmware on our ProCurve switch soon. It requires a restart of this switch. Should I shut down all the virtual machines on the cluster that use this switch to communicate with our SAN via iSCSI?
I don't know if I phrased the question properly, so do not hesitate to ask for more information or clarification.
You want to disable HA on the cluster of course, because if you don't have switch redundancy to your ESX hosts you will have a failover of running VMs. It would be advisable to stop or pause the VMs that use this switch for iSCSI storage access; however, I did some tests on this and if VMs are running they literally freeze in time and as soon as the storage returns they pick up where they left off. I have to admit that I am impressed by the way the VMs manage losing connectivity to their storage. That said, you should technically power them off or suspend them.
SID Smith-
VCP, CCA (XenServer), MCTS Hyper-V & SCVMM08, CCNA and VTSP
http://www.dailyhypervisor.com
Don't forget to assign points for correct and useful responses. ;-)
-
AAA + RADIUS on Catalyst switches
The command "Switch(config)# radius-server ..." doesn't appear on my Catalyst 3500. The Catalyst IOS version is c3500xl-c3h2s-mz.120-5.WC5
How do I set the IP address of the RADIUS server and the port?
Regards
I think I have the same version. As you can see below, the command is there.
#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)WC5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Wed 28-May-02 11:41 by devgoyal
Image text-base: 0x00003000, data-base: 0x0034A3C8
ROM: Bootstrap program is C3500XL boot loader
uptime is 40 weeks, 15 hours, 35 minutes
System returned to ROM by reload
System restarted at 23:17:01 PUTS DST Mon Aug 19 2002
System image file is "flash:c3500xl-c3h2s-mz.120-5.WC5.bin"
cisco WS-C3524-XL (PowerPC403) processor (revision 0x01) with 8192K/1024K bytes of memory.
Processor board ID FAB0513V068, with hardware revision 0x00
Last reset from warm-reset
Processor is running Enterprise Edition Software
Cluster command switch capable
Cluster member switch capable
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:05:9B:93:13:80
Motherboard assembly number: 73-3904-11
Power supply part number: 0851-34-02
Motherboard serial number: FAB051240RK
Power supply serial number: PHI050204Z8
Model revision number: A0
Model number: WS-C3524-XL-EN
System serial number: FAB0513V068
Configuration register is 0xF
#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
(config)#rad
(config)#radius-server ?
  attribute           Customize selected radius attributes
  challenge-noecho    Data echoing to screen is disabled during Access-Challenge
  configure-nas       Attempt to download static routes and IP pools at startup
  deadtime            Time to stop using a server that doesn't respond
  directed-request    Allow user to specify radius server to use with `@server'
  host                Specify a RADIUS server
  key                 encryption key shared with the radius servers
  optional-passwords  The first RADIUS request can be made without requesting a password
  retransmit          Specify the number of retries to active server
  timeout             Time to wait for a RADIUS server to reply
  vsa                 Vendor specific attribute configuration
Hope this helps you
Leo
-
Cisco 2960, no mail, solid green system switch of death?
I have 2 used WS-C2960-24TT-L. Both are facing the same issue.
When they start, all lights flash on the mode indicator panel, then it goes directly to a solid green "SYSTEM". Nothing is written on the console cable. I tried different computers, cables, and the standard transfer rates. None of the ports come up regardless of how long each switch is powered. The Mode key during boot produced the same result, nothing.
Looks like they are dead; however, I thought this would be the place to go for ideas. Can I revive these switches?
Nope. Time for you to contact Cisco TAC and get the devices RMA-ed.
-
I am very new to Cisco ISE and Meraki. I am trying to get the RADIUS configuration for wireless authentication. When I do a test from the Meraki to ISE, it passes.
When I try to connect from my laptop, I look at the RADIUS logs and it passes; however, it does not match me to the right policy. I keep hitting the default policy. I have my Meraki policy above the default policy in the policy set. I have attached what my policy set looks like.
Device type does not really matter. Here is what I see when I create a device group (where you add the access point to this group), and then create the condition:
And here is where I create the policy set condition and you should be able to select the Meraki access points:
This will give you a condition similar to what I posted above. This is perhaps why you aren't hitting it: it is not matching the condition for this policy set.
-
[Cisco AnyConnect] Certificate on RADIUS authentication
Hello
I use certificate authentication and LDAP authorization and it works fine.
Now, I want to centralize authentication and authorization on the RADIUS server (Cisco ACS in my case).
In the connection profile, we have 3 authentication methods:
- AAA: I can choose a RADIUS server group or LDAP --> the user is prompted to enter username/password credentials
- Certificate: I can't choose an AAA server... --> the user will have to provide the certificate
- Both: I choose RADIUS or LDAP --> the user is prompted for username/password credentials and must provide the certificate
If I choose the certificate authentication method, I can't delegate authentication and authorization to the RADIUS server.
Is there a solution to delegate certificate authentication to RADIUS?
I have different authorization rules for each VPN connection profile.
Can the ASA send the VPN connection profile to RADIUS (in a RADIUS attribute...)?
Thanks for your help,
Patrick
Patrick,
The essential thing in deployments using a WLC is relying on the client being able to talk EAP (including EAP-TLS) so the AAA server can authenticate the certificate.
In the case of AnyConnect, or the old IPsec client, there is no way to send the full cert to the AAA server (not implemented/redundant from the point of view of the client, or not in the standard).
IOS also gives you a possibility to make PKI authorization calls:
AFAIR there is no similar mechanism on the ASA.
M.
-
[Cisco ACS] 11036 The RADIUS Message-Authenticator attribute is invalid
Hello
I have a lot of Cisco APs connected to 2 Cisco WLCs.
On each WLC, I configured a primary and a secondary RADIUS server.
RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)
ACS primary and secondary configurations are synchronized.
There is no problem between the primary WLC and Cisco ACS (primary and secondary).
When the secondary WLC asks the primary Cisco ACS, I get this error: "11036 The RADIUS Message-Authenticator attribute is invalid".
The secondary WLC automatically contacts the secondary Cisco ACS and it works fine.
Cisco ACS description for this error: "This can be the result of mismatched shared secrets."
The two Cisco ACS are synchronized, so I should have the same error on both...
Why does the primary ACS generate this error?
Thanks for your help,
Patrick
Patrick: The shared secret mismatch could be on the WLC side, not on the ACS side.
Make sure that the shared secret of the primary RADIUS server is configured correctly on the secondary WLC.
HTH
Amjad
Rating useful answers is more useful than saying "thank you".
-
Cisco 6248 FI to Brocade 6510 SAN switch shows Link Down
Hi all
This is a new installation of Cisco UCS with a Brocade 6510 SAN switch.
I followed the Cisco UCS to Brocade connectivity guide.
Even so, the link on the FI side is not coming up. No lights are glowing.
When I checked switchshow on the Brocade 6510, the ports show No_Light status. On other ports, it shows the WWN of my storage device.
At the end, when I click on the FC ports, they all show state link down.
Anyone facing this problem?
Am I missing some configuration steps?
Kind regards
Praveen
This should be a trivial or a very complex problem. I'd rather it be trivial.
The Brocade is a 16G FC switch; negotiation down to 8G seems to work (storage subsystem).
Maybe you could try to set the speed on the Brocade port fixed to 8G!
Or something with the cables is wrong? Transmit/receive crossed?
Are the SFPs shortwave MMF? Connecting cables as well?
Connect a cable from port e.g. 31 to 33, 32 to 34 and see if it works?
-
Cisco WSA: What is the RADIUS CLASS attribute?
Hello!
I am trying to use a Cisco ISE RADIUS server as an external authentication server for the WSA. I would like to assign roles to groups of users, but I do not understand the meaning of the RADIUS CLASS attribute. What should I write in this field?
Thank you
Stephane Walker
The CLASS attribute is generic; you can put anything in it. So you get to decide what you use.
On your RADIUS box, for the users or group it applies to, set it to something like "WSAAdmin" for admins, "WSARO" for read-only users...
Then, when you configure the WSA, you set them correspondingly there...
But you can really use any string you want; they just need to match the appropriate way.
HTH,
Ken
-
Greetings. First of all, let me start by saying that I am a fool, I know I am a fool and I apologize for wasting everyone's time. In fact, I do RTFM, RTFM a lot, and I've yet to find a resolution.
Secondly, I am setting up a RADIUS server in my test network. I installed Yopougon RADIUS on a Windows 2000 system. I have the following setup on my Cisco 2611 router:
Using 2297 out of 29688 bytes
!
! Last configuration change at 17:20:27 PDT Tue May 20 2008
! NVRAM config last updated at 17:20:29 PDT Tue May 20 2008
!
version 12.1
no service single-slot-reload-enable
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
service password-encryption
!
hostname Tester
!
logging buffered 10000 debugging
aaa new-model
aaa group server radius RadiusServers
 server 172.26.0.2 auth-port 1812 acct-port 1813
!
aaa authentication login default group RadiusServers local
aaa authentication login localauth local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa processes 6
enable secret xxx
!
username test password xxx
!
clock timezone PST -8
clock summer-time PDT recurring
ip subnet-zero
no ip domain-lookup
!
no ip bootp server
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/0
 description main network
 ip address X.X.X.X 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 full-duplex
 no cdp enable
!
interface Ethernet0/1
 description internal network
 ip address 172.26.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 load-interval 30
 full-duplex
 no cdp enable
!
ip nat pool test X.X.X.X X.X.X.X netmask 255.255.255.128
ip nat inside source list 3 pool test overload
ip nat inside destination list 3 pool test
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.X
no ip http server
!
ip radius source-interface Ethernet0/1
access-list 3 permit 172.26.0.0 0.0.0.255
no cdp run
snmp-server community public RO 15
radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret
radius-server retransmit 3
radius-server key secret
!
line con 0
 password xxx
 logging synchronous
line aux 0
line vty 0 4
 access-class 10 in
 password 7 1234567890
 logging synchronous
!
ntp clock-period 17208108
ntp server 192.43.244.18
end
My RADIUS server is up and responding to queries, but my router does not seem to be forwarding authentication requests to it. In fact, when I connect to the router using HyperTerminal, it times out, and I find myself authenticating locally.
I don't really care whether my Cisco equipment authenticates with the RADIUS server, but I have to get it set up to authenticate my users so that I can track their time online. What did I miss in my router configuration? Because it is not forwarding user authentication requests to the RADIUS server.
Thanks for any assistance you may be able to provide.
If you explore authentication proxy and it works, it could make you forget PPPoE fast enough.
If you decide to pursue PPPoE, the following link is probably where you will find most of the information on the configuration of Cisco PPPoE:
http://www.Cisco.com/en/us/Tech/tk175/tk819/tsd_technology_support_protocol_home.html
The "Service Providers" Cisco forum could provide some guidance on whether PPPoE is achievable with your platform and environment.
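Two of the threads above come down to the same mechanism: error 11036 in the ACS thread is the server failing the RFC 2869 Message-Authenticator check, and the 2611 symptom (a timeout, then local fallback) is what IOS does when no RADIUS server answers. Both depend on the shared secret each side holds. The following Python is an added example, not code from any of the posts, that builds an Access-Request the way a NAS does (PAP User-Password obfuscation per RFC 2865 section 5.2 plus a Message-Authenticator) and then runs the server-side check with a matching and a mismatched secret. The secret 'secret', the user 'test' and the NAS address 172.26.0.1 are taken from the posted router config; the packet identifier and everything else is constructed.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types from RFC 2865 / RFC 2869
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(atype, value):
    """Encode one attribute as Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encrypt_user_password(password, secret, authenticator):
    """RFC 2865 s.5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decrypt_user_password(encrypted, secret, authenticator):
    """Server side of s.5.2; the previous *ciphertext* block is chained in. Trailing NUL padding is dropped."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encrypted[i:i + 16], key))
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Build an Access-Request with a PAP User-Password and an RFC 2869 Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator: 16 random bytes
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, encrypt_user_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    # Message-Authenticator = HMAC-MD5(secret, whole packet with the attribute present but all zero)
    zero_ma = attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = 20 + len(attrs) + len(zero_ma)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + authenticator
    mac = hmac.new(secret, header + attrs + zero_ma, hashlib.md5).digest()
    return header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attrs(packet):
    """Walk the attribute section after the 20-byte header and return [(type, value), ...]."""
    attrs, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_message_authenticator(packet, secret):
    """The server's first check: recompute the HMAC with its own copy of the secret.
    A False result here is the condition ACS reports as error 11036."""
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + alen:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + alen], expected)
        pos += alen
    return False  # attribute absent: fail when the server requires it


def demo():
    """Constructed values: NAS key 'secret', user 'test' and NAS 172.26.0.1 come from the router config above."""
    nas_secret = b"secret"
    pkt = build_access_request(7, nas_secret, "test", "xxx", "172.26.0.1")
    return {
        "length_field_matches": int.from_bytes(pkt[2:4], "big") == len(pkt),
        "ok_with_matching_secret": verify_message_authenticator(pkt, nas_secret),
        "ok_with_mismatched_secret": verify_message_authenticator(pkt, b"something-else"),
    }


if __name__ == "__main__":
    print(demo())
```

The check fails on a secret mismatch no matter which side holds the wrong value, which is why the answer in the ACS thread points at the WLC's copy of the secret rather than the two synchronized ACS servers. Note that User-Password obfuscation is keyed only by MD5 of the secret and the Request Authenticator, so the secret's strength is all that protects the credential on the wire; that is the reason RADIUS is normally kept on a management network, as the switch thread below also discusses.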
-
Cisco Standalone AP with the dump unmanaged switch
Dear friends,
Can there be a problem if I connect a standalone AP to the switch, causing a loop or something?
Thank you
If it is a simple network using only one VLAN, there should not be any problems.
Thank you
Emilie
* Please note the post if you find it useful. *
-
Cisco Nexus RADIUS AAA authentication using Microsoft 2008 NPS
I have a Nexus 7010 running
I was wondering if you can help me with something. I'm having a problem with command authorization through our aaa config. We do not have an authentication problem; it is command authorization that does not work. From what I've seen and read, Nexus NX-OS 6.x does not have all the commands for aaa authorization unless you configure TACACS+. My basic config is below; if you can help it would be much appreciated.
> ip radius source-interface mgmt 0
> radius-server key XXXXX
> radius-server host X.X.X.X key XXXXX authentication accounting
> radius-server host X.X.X.X key XXXXX authentication accounting
> aaa authentication login default group Radius_Group
> aaa authentication login console local
> aaa group server radius Radius_Group
>   server X.X.X.X
>   server X.X.X.X
>   source-interface mgmt0
Also, does anybody know how to configure Microsoft 2008 NPS as a RADIUS server to work with Nexus? I read a few posts that suggest setting
shell:roles="vdc-admin" in the value field of the attribute on the RADIUS server.
Anyone know if it works?
Thank you
I haven't used NPS before but it sounds like you are on the right track. As Ed mentioned in his post, in NPS you can set the type of protocols that you will accept during an authentication session. Nexus authentication sessions are considered PAP/ASCII, so you should be good to go. I don't have a Nexus switch to test with, but you can use Wireshark to capture the session and see the exact protocol / method used. However, I am sure that PAP is the way to go:
http://www.Cisco.com/c/en/us/TD/docs/switches/Datacenter/SW/4_1/NX-OS/se...
I also found this link that you might find useful:
http://www.802101.com/2013/08/Cisco-Nexus-and-AAA-authentication.html
Thank you for evaluating useful messages!
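The first thread (HP VSAs for ProCurve in ACS), the WSA thread (the CLASS attribute) and this Nexus/NPS thread (shell:roles="vdc-admin") all turn on how an attribute value is carried from the RADIUS server to the device. The following Python is an added example, not code from any post or from HP, Cisco or Microsoft. It encodes and decodes the RFC 2865 Vendor-Specific attribute (type 26) with the Cisco (9) and HP (11) IANA enterprise numbers and the plain Class attribute (25). cisco-avpair as Cisco vendor type 1 is the standard dictionary value; the HP vendor type number here is a placeholder, the real one comes from the HP dictionary file the first answer refers to.

```python
import struct

ATTR_CLASS = 25             # RFC 2865 s.5.25: opaque to the NAS, echoed back in accounting
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 s.5.26
VENDOR_CISCO = 9            # IANA enterprise numbers
VENDOR_HP = 11
CISCO_AVPAIR = 1            # Cisco vendor type 1 = cisco-avpair, carries "shell:roles=..." on NX-OS
HP_ATTR_PLACEHOLDER = 1     # PLACEHOLDER: take the real ProCurve vendor type from HP's dictionary file


def attr(atype, value):
    """Top-level attribute TLV: Type, Length (includes the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific: attribute 26 whose value is a 4-byte Vendor-Id followed by a vendor TLV."""
    if len(value) > 247:  # 253 minus Vendor-Id (4) minus the vendor TLV header (2)
        raise ValueError("vendor value too long for one VSA")
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attr(vendor_type, value))


def cisco_avpair(text):
    """Cisco AV pair, e.g. shell:roles="vdc-admin" for an NX-OS role."""
    return vsa(VENDOR_CISCO, CISCO_AVPAIR, text.encode())


def class_attr(role):
    """Class is a free-form string; the WSA matches it against the role strings configured on the box."""
    return attr(ATTR_CLASS, role.encode())


def parse_vsa(value):
    """Decode the Value of a type-26 attribute into (vendor_id, [(vendor_type, bytes), ...])."""
    if len(value) < 6:
        raise ValueError("VSA too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated vendor sub-attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("malformed vendor sub-attribute length")
        subs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def describe(vendor_id, vendor_type, value):
    """Map a (vendor, type) pair to the name a server dictionary would show; unknown pairs stay numeric.
    This is exactly what ACS lacks for HP until the VSA definition is imported."""
    names = {(VENDOR_CISCO, CISCO_AVPAIR): "cisco-avpair"}
    name = names.get((vendor_id, vendor_type), "vendor%d-attr%d" % (vendor_id, vendor_type))
    return name, value.decode("utf-8", "replace")


def demo():
    """Build the attributes discussed in the threads and decode them again (constructed values)."""
    attrs = [
        cisco_avpair('shell:roles="vdc-admin"'),                   # NX-OS role, as the NPS thread suggests
        class_attr("WSAAdmin"),                                    # Class value as in the WSA thread
        vsa(VENDOR_HP, HP_ATTR_PLACEHOLDER, b"\x00\x00\x00\x0f"),  # placeholder HP VSA with a 4-byte integer
    ]
    out = []
    for a in attrs:
        if a[0] == ATTR_VENDOR_SPECIFIC:
            vid, subs = parse_vsa(a[2:])
            out.extend(describe(vid, t, v) for t, v in subs)
        elif a[0] == ATTR_CLASS:
            out.append(("Class", a[2:].decode()))
    return out


if __name__ == "__main__":
    for name, value in demo():
        print("%-16s %r" % (name, value))
```

The server only needs the dictionary to present a vendor attribute by name in its policy editor; on the wire it is always the numeric (vendor, type) pair, which is why the first answer's RDBMS import is a definition step rather than a protocol change. On the receiving side, the length checks in parse_vsa matter: a device that trusts the embedded lengths without bounding them against the outer attribute reads past the value.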
-
Switches: RADIUS or GANYMEDE?
Hello
So far I've managed my switches with TACACS+, but now I have to deploy 802.1X, which requires RADIUS only.
As far as I know, ACS (I use 4.2) allows you to define a device using only TACACS+ or RADIUS, but not both.
Am I mistaken? Or is there a way to define an AAA client to communicate with the ACS using both protocols?
Assuming I'm right, I then considered the following options:
- Configure all switches to use RADIUS for every service (authentication, authorization, etc.). This makes it easier, but I lose the TACACS+ services for the switches. How big a loss is that?
OR
- Configure the L3 switches to use a second interface, just for the RADIUS services. They would still use TACACS+ but would require a new network for the RADIUS service; in addition, L2 switches do not support two IP addresses and would require a migration to RADIUS anyway.
A considerable administrative burden, in other words.
I'm not ready to deploy a second RADIUS server (ACS, Windows, whatever) right now.
The key point is this: reading around, I see Cisco documentation always recommends using TACACS+ for management, but in this case it is not possible. In general, whenever the device has a network access role (switch or access point), RADIUS seems to be the protocol of choice. Would moving to RADIUS have some drawback, other than the change of communication protocol? (I know the difference between TACACS+ and RADIUS: TCP vs UDP, encryption of the whole packet vs encryption of only the password.)
Thanks in advance
C
Hello Carlo,
You can keep using TACACS+ for device management and RADIUS for 802.1X, with no need for additional servers or an additional IP on each managed device.
ACS 4.2 allows you to define two AAA clients with the same IP address, one for TACACS+ and one for RADIUS; however, the host name must be unique.
Then, on the switch, you can define the same ACS server as a radius-server host and a tacacs-server host, configure the "aaa" commands for console login and authorization pointing to the TACACS+ server, and the dot1x part pointing to the RADIUS server.
What you're looking for is feasible and it is normal to use TACACS+ for device management and RADIUS for 802.1X.
I hope that answers your questions.
Kind regards
Federico
--
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.